{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35441", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T19:25:52.192Z", "datePublished": "2026-04-06T21:36:07.737Z", "dateUpdated": "2026-04-06T21:36:07.737Z"}, "containers": {"cna": {"title": "Directus Affected by GraphQL Alias Amplification Denial-of-Service Due to Missing Query Cost/Complexity Limits", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/directus/directus/security/advisories/GHSA-ph52-67fq-75wj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/directus/directus/security/advisories/GHSA-ph52-67fq-75wj"}], "affected": [{"vendor": "directus", "product": "directus", "versions": [{"version": "< 11.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T21:36:07.737Z"}, "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints (/graphql and /graphql/system) did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, forcing the server to execute a large number of independent complex database queries concurrently, multiplying database load linearly with the number of aliases. The existing token limit on GraphQL queries still permitted enough aliases for significant resource exhaustion, while the relational depth limit applied per alias without reducing the total number executed. Rate limiting is disabled by default, meaning no built-in throttle prevented this from causing CPU, memory, and I/O exhaustion that could degrade or crash the service. Any authenticated user, including those with minimal read-only permissions, could trigger this condition. This vulnerability is fixed in 11.17.0."}], "source": {"advisory": "GHSA-ph52-67fq-75wj", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints (/graphql and /graphql/system) did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, forcing the server to execute a large number of independent complex database queries concurrently, multiplying database load linearly with the number of aliases. The existing token limit on GraphQL queries still permitted enough aliases for significant resource exhaustion, while the relational depth limit applied per alias without reducing the total number executed. Rate limiting is disabled by default, meaning no built-in throttle prevented this from causing CPU, memory, and I/O exhaustion that could degrade or crash the service. Any authenticated user, including those with minimal read-only permissions, could trigger this condition. This vulnerability is fixed in 11.17.0."}], "id": "CVE-2026-35441", "lastModified": "2026-04-06T22:16:22.697", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T22:16:22.697", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/directus/directus/security/advisories/GHSA-ph52-67fq-75wj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.17.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "directus", "source": "cna", "vendor": "directus"}, "product": "directus", "vendor": "directus"}], "analysis": {"en": {"generated_at": "2026-04-07T01:57:17.414145+00:00", "value": {"mitigation_remediation": ["Update Directus to version 11.17.0 or later", "If immediate update is not feasible, restrict user roles to limit excessive alias use", "Enable GraphQL query rate limiting or token limits in the configuration", "Deploy monitoring to detect abnormal query patterns and harden resource limits"], "summary": {"action": "Apply Patch", "impact": "Denial of Service (resource exhaustion)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Directus installations running any version prior to 11.17.0. Users of Directus product by the Directus vendor are impacted. The issue exists within the GraphQL endpoints (/graphql and /graphql/system).", "description_and_impact": "Directus GraphQL alias amplification allows an authenticated user to repeat costly relational queries many times in a single request. By exploiting aliasing, the server executes a linear number of independent complex database queries, multiplying CPU, memory and I/O load. The result is a denial of service that can degrade or crash the service only through resource exhaustion. This weakness is classified as Unbounded Input and Memory Allocation.", "risk_and_exploitability": "The CVSS score of 6.5 indicates medium severity. The EPSS score is unavailable, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no publicly known exploit yet. Attackers need only authenticated access, even with minimal read\u2011only permissions, to trigger the denial of service by sending a crafted GraphQL request with a large number of aliases. The lack of rate limiting and token limit insufficiency make exploitation straightforward under these conditions."}}}}, "created": "2026-04-07T06:53:46.066070+00:00", "updated": "2026-04-07T09:36:44.177485+00:00", "vendors": ["directus", "directus$PRODUCT$directus"]}